Security Best Practices

Software Best Practices

Software best practices include several categories.

Input Validation - Check input from users of the system to be sure it contains no harmful content and to be sure the information entered is only the information expected. Repair improper input when possible or request re-entry of information.

Output Validation - Check information being sent to users of the system to be sure no harmful content is being sent. If harmful content is detected, an administrator should be notified.

Error checking

Access Failure - Be sure the program does not behave unexpectedly when access to the registry, a file, or any other external resource fails.

Buffer Overflow - Code should be written so that data placed in a buffer cannot overflow it. This means there should be checks to be sure that more information than the buffer can hold is never written into it.

Check files loaded for legitimacy - Files that are loaded should be checked to be sure they are the expected file. This prevents unexpected program performance and possible security problems.

Check to be sure modification to the system environment cannot cause the wrong file to load.

Error handling - Error handling determines what the program will do when there is an error. The error may be an operator error or an internal error. All possible errors must have an appropriate response designed and implemented within the program.
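The following is an added example, not code from the original page, showing the file legitimacy, environment, access failure, and error handling checks above working together. The function name load_trusted, the LoadError exception, and the sample file names are assumptions made for illustration, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

class LoadError(Exception):
    """Single, defined failure path for every load problem."""

def load_trusted(name, trusted_dir, expected_sha256):
    """Return the bytes of `name` from `trusted_dir` only if it is the expected file."""
    # Accept a bare file name only, so the caller cannot steer the lookup elsewhere.
    if name != os.path.basename(name):
        raise LoadError(f"rejected file name: {name!r}")
    # Build the path from a fixed directory, never from PATH or the working directory.
    base = os.path.realpath(trusted_dir)
    path = os.path.realpath(os.path.join(base, name))
    # A symlink inside the directory must not lead outside it.
    if os.path.commonpath([base, path]) != base:
        raise LoadError(f"{name!r} resolves outside {base}")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        # Access failure: stop with a defined error instead of continuing.
        raise LoadError(f"cannot read {name!r}: {exc.strerror}") from exc
    # Hash the same bytes that are returned, so the check covers what is used.
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise LoadError(f"{name!r} does not match the expected digest")
    return data

def demo():
    """Run the loader over constructed sample files and return each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = b"setting=1\n"  # constructed sample content
        digest = hashlib.sha256(good).hexdigest()
        for fname, body in (("app.conf", good), ("tampered.conf", b"setting=0\n")):
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(body)
        for name in ("app.conf", "tampered.conf", "absent.conf", "../app.conf"):
            try:
                load_trusted(name, root, digest)
                results[name] = "loaded"
            except LoadError as exc:
                results[name] = f"refused: {exc}"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The expected digest must come from a source the program trusts more than the file itself, such as a value shipped with the program; a digest stored beside the file can be replaced along with it.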

Code structure - Code should be organized into modules, each of which provides or supports the implementation of one idea, functional area, or concept. Code should be written to meet documentation standards and be commented according to the standard. Structure is enforced by requiring all parts of the program to use a specific module for a given capability, such as reading from or writing to a database. The interface to the database should be provided by one module (or group of modules), and all parts of the program must use that interface rather than accessing the database directly. This keeps the program more maintainable: if the database is changed, only the module interfacing to it should need to change.

Software Modules - Modules are used to encapsulate related functions. For example, a module may be created to interface to the database. All parts of the program must use the database interface module to interface to the database.

Software Functions - A software function is a subroutine which performs one action. An example would be to send a string of text to the computer screen.

Requirements for Variables - How local and global variables are used, how they are named, and how memory is allocated.

Quality code requirements - Includes code documentation, limits on use of global data, and use of shared and tested code.

Software Quality assurance

Software code review

Code testing

Software change control

Best practice methods - Software best practices may also include proper methods to perform certain capabilities such as creating accounts securely, performing password resets securely, contacting a webmaster, and other functional capabilities. Other capabilities that require consideration for best practices include web application controls, session management, data encryption, and interaction with other applications.